Fixed #32718 -- Relaxed file name validation in FileField.

- Validate filename returned by FileField.upload_to() not a filename passed to the FileField.generate_filename() (upload_to() may completely ignored passed filename). - Allow relative paths (without dot segments) in the generated filename. Thanks to Jakub Kleň for the report and review. Thanks to all folks for checking this patch on existing projects. Thanks Florian Apolloner and Markus Holtermann for the discussion and implementation idea. Regression in 0b79eb3691.
2025-10-24 06:06:09 +00:00 · 2021-05-13 08:53:44 +02:00
parent b81c7562fc
commit b55699968f
8 changed files with 140 additions and 17 deletions
--- a/docs/releases/2.2.23.txt
+++ b/docs/releases/2.2.23.txt
@@ -0,0 +1,15 @@
+===========================
+Django 2.2.23 release notes
+===========================
+
+*May 13, 2021*
+
+Django 2.2.23 fixes a regression in 2.2.21.
+
+Bugfixes
+========
+
+* Fixed a regression in Django 2.2.21 where saving ``FileField`` would raise a
+  ``SuspiciousFileOperation`` even when a custom
+  :attr:`~django.db.models.FileField.upload_to` returns a valid file path
+  (:ticket:`32718`).
--- a/docs/releases/3.1.11.txt
+++ b/docs/releases/3.1.11.txt
@@ -0,0 +1,15 @@
+===========================
+Django 3.1.11 release notes
+===========================
+
+*May 13, 2021*
+
+Django 3.1.11 fixes a regression in 3.1.9.
+
+Bugfixes
+========
+
+* Fixed a regression in Django 3.1.9 where saving ``FileField`` would raise a
+  ``SuspiciousFileOperation`` even when a custom
+  :attr:`~django.db.models.FileField.upload_to` returns a valid file path
+  (:ticket:`32718`).
--- a/docs/releases/3.2.3.txt
+++ b/docs/releases/3.2.3.txt
@@ -2,7 +2,7 @@
 Django 3.2.3 release notes
 ==========================

-*Expected June 1, 2021*
+*May 13, 2021*

 Django 3.2.3 fixes several bugs in 3.2.2.

@@ -13,3 +13,8 @@ Bugfixes

 * Fixed a regression in Django 3.2 that caused the incorrect filtering of
  querysets combined with the ``|`` operator (:ticket:`32717`).
+
+* Fixed a regression in Django 3.2.1 where saving ``FileField`` would raise a
+  ``SuspiciousFileOperation`` even when a custom
+  :attr:`~django.db.models.FileField.upload_to` returns a valid file path
+  (:ticket:`32718`).
--- a/docs/releases/index.txt
+++ b/docs/releases/index.txt
@@ -42,6 +42,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
   :maxdepth: 1

+   3.1.11
   3.1.10
   3.1.9
   3.1.8
@@ -80,6 +81,7 @@ versions of the documentation contain the release notes for any later releases.
 .. toctree::
   :maxdepth: 1

+   2.2.23
   2.2.22
   2.2.21
   2.2.20